In an effort to see just what could be harvested from a P2P network, reporter Avi Baumstein of InformationWeek went on a fishing expedition. The results were surprising and should be seen by system administrators at the corporate level as a cautionary tale.
Using LimeWire Pro on the Gnutella network, Avi ran high level searches on a number of generic terms such as "audit," "RFP," "proposal," and "minutes" and limited the return to documents. While the first attempt yielded only a few results, the second attempt was more promising. Using LimeWire's navigational tools, he discovered the files of a consultant for a major accounting firm along with some really bad music. Those files included internal audit plans as well as the financial results from a few companies.
Giddy from my quick success, I tried other search terms and slogged through dozens of computers full of tailings such as High School Musical and Fall Out Boy, until I entered "ssn" for Social Security number. LimeWire, which displays the IP address of the computer hosting each file a search returns, showed an entire page of results for ssn, all with the same IP address. Using "browse host," I discovered a mother lode of bank passwords and credit card numbers, a few dozen files labeled as Equifax credit reports, and a handful of tax returns.
I'd stumbled upon what's known as an information concentrator. These are people who do what I was doing — troll the P2P networks for files with personal data. But their intentions are far more sinister — typically identity theft. Most likely this person was inadvertently re-sharing the confidential information he had found, making the same mistakes with P2P that his prey had made.
While most businesses have regulations in place to regulate or outlaw the uses of P2P on company machines, they do business with vendors whose security policies may not be as stringent. This opens the company's information to potential risk if the vendor uses P2P and has set global sharing.
Your company very likely has policies in place to avoid this situation, but do you have vendor agreements that limit how your company information will be managed? And even if you do, how would you go about checking for compliance? I know of a company that has very stringent rules about how they manage security, but they allow outside contractors to use their own equipment on the corporate network. That company deals with financial information. The same is true of a local insurer. So policy aside, how safe is your network?
Your Data and the P2P Peril (Information Week)
————————————————————————————————————————Stay on top of the latest tech news
Get this news story and many more by subscribing to our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!